How Many Profiles Should I Have?

Q: With the advent (and ever-increasing features) of Permission Sets, how many Profiles should I assign my users to?

A: Louise Lockie’s terrific Dreamforce ’23 presentation, Architect a Permission-Set-Led Security Model (pp 29-34), advocates slimming down to three Profiles:

  • System Administrator (standard or custom)
  • API/Integration Profile (custom, using “Salesforce Integration” User License)
  • User Profile (custom, cloned from “Minimum Access – Salesforce” Profile)

The latter two Profiles should grant

  1. the barest-bones permissions and object/field access (when in doubt, leave it out!), with
  2. whatever Login/Session/Password settings adhere to your organization’s security policy.

Everything else can be granted by Permission Sets. Don’t forget to leverage features like

  • Permission Set Groups — to define a collection of Permission Sets that apply to a generalized Role like Sales Rep, Customer Support Rep, or Sales Manager. (Don’t forget the power of muting!)
  • User Access Policies — to assign Permission Sets and Permission Set Groups programmatically (e.g., “if user has a ‘Sales Rep’ Role, assign them the ‘Sales Rep’ Permission Set Group”).

Three more random thoughts:

  1. User Access Policies is the feature I have really high hopes for. Programmatically assigning Permissions is huge. Sadly, at least as of this writing (2023-11-14), the feature still has some glaring omissions. In particular,
    • it doesn’t support OR boolean logic,
    • nor does it support specifying multiple values for fields like Department.
  2. I encourage you to name API/Integration Users with a consistent naming scheme that makes ’em easy to pick out. Personally, I set such users’
    • First Name to null, and
    • Last Name to “API User: [System]”, like “API User: NetSuite”.
  3. Supporting materials from Louise Lockie’s presentation can be found at bit.ly/PS-LL. So gratifying to see someone else is a Bitly fan!
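
One way to check an org against the three-Profile model and the API-user naming scheme described above. This is an added example, not from the presentation or from Salesforce. The CSV columns, the sample rows, and the Profile names "API Integration" and "Standard User Base" are assumptions standing in for your own user export and custom Profile names.

```python
import csv
import io

# Constructed sample export (hypothetical columns), e.g. from a User report.
SAMPLE_CSV = """Username,FirstName,LastName,ProfileName,IsActive
admin@example.com,Ada,Admin,System Administrator,true
rep@example.com,Sam,Seller,Standard User Base,true
ns@example.com,,API User: NetSuite,API Integration,true
etl@example.com,ETL,Loader,API Integration,true
mkt@example.com,,API User: Marketo,Standard User Base,true
old@example.com,Olga,Legacy,Sales Profile (Legacy),true
gone@example.com,Gus,Gone,Sales Profile (Legacy),false
"""

# Assumed names of the org's three sanctioned Profiles; adjust to your org.
ADMIN_PROFILE = "System Administrator"
API_PROFILE = "API Integration"
USER_PROFILE = "Standard User Base"
ALLOWED = {ADMIN_PROFILE, API_PROFILE, USER_PROFILE}
API_PREFIX = "API User: "  # naming scheme from the post


def audit_users(csv_text):
    """Return (username, finding) pairs for active users that break the model."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IsActive"].strip().lower() != "true":
            continue  # only active users are audited
        user, profile = row["Username"], row["ProfileName"]
        # The post's scheme: empty First Name, Last Name "API User: [System]".
        named_as_api = (row["LastName"].startswith(API_PREFIX)
                        and not row["FirstName"].strip())
        if profile not in ALLOWED:
            findings.append((user, f"unsanctioned profile: {profile}"))
        if named_as_api and profile != API_PROFILE:
            findings.append((user, "API-named user not on the API profile"))
        if profile == API_PROFILE and not named_as_api:
            findings.append((user, "API profile user breaks the naming scheme"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_CSV):
        print(f"{user}: {finding}")
```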
